Smartphone users would like to think that if they lost their device, it would be picked up by a Good Samaritan, rather than someone with malicious intentions. But they shouldn’t bet on it, says one security firm.
In a recent study, Symantec researchers intentionally “lost” 50 smartphones at various locations in five different North American cities. The phones were loaded with simulated sensitive personal and corporate data, as well as applications to remotely monitor what happened to the devices. Password protection was turned off on all the devices.
The researchers’ key questions: Would those who found the smartphones try to return them, and would any try to access the data on the phones?
The results aren’t encouraging: Only half the people made any attempt to return the device they found. And even those who did still tried to access data on the phone.
In fact, finders tried to access information in 96% of cases. Some were likely just trying to find a way to contact the owner of the device. But many attempts were made to access more sensitive information. For example:
- 83% of finders tried to access corporate information, including documents with labels such as “HR Salaries” and “HR Cases”
- 60% tried to read emails or access social media accounts
- 57% tried to open a file called “Saved Passwords”
- 49% tried to run a decoy “Remote Admin” app that appeared to allow access to a remote computer or network, and
- 43% tried to use a mobile banking app
This study should have a clear lesson for smartphone users and IT departments: Smartphones used for work must be password protected and must support remotely wiping data if the device is lost or stolen.
Symantec also recommends that organizations take inventory of mobile devices that access their networks, so they know what devices they must manage. Also, companies should develop a formal process to follow if a mobile device is lost or stolen, and train users on how to keep their devices safe.